Security Onion and McAfee SIEM

Jimmy Payne

Nov 13, 2014, 8:15:01 AM
to securit...@googlegroups.com
I am just curious if anyone has ever had success sending alerts from Security Onion to a McAfee SIEM. I found the write-up online about editing the conf file for each sensor. I think I did that correctly. I am not very well versed in Linux but I am going to post a sanitized version of what I added and see if there is something I may have missed. It looks like the following:

output log_syslog_full: sensor_name XXXXX-eth1-1, server XXX.XX.1.192, log_priority log_alert, operation_mode default
output log_syslog_full: sensor_name XXXXX-eth1-2, server XXX.XX.1.192, log_priority log_alert, operation_mode default
output log_syslog_full: sensor_name XXXXX-eth2-1, server XXX.XX.1.192, log_priority log_alert, operation_mode default
output log_syslog_full: sensor_name XXXXX-eth2-2, server XXX.XX.1.192, log_priority log_alert, operation_mode default

I restarted the sensors after this with no results. I then rebooted the entire server, no results. I have no IP addresses assigned to Eth1 and Eth2 because they are sensors listening from a spanned port.

Doug Burks

Nov 13, 2014, 10:30:11 AM
to securit...@googlegroups.com
Hi Jimmy,

As mentioned at
https://code.google.com/p/security-onion/wiki/ThirdPartyIntegration,
we don't really provide free support for third party systems.

Here are some links you can refer to:

https://groups.google.com/d/topic/security-onion/Ixgnl0IUsd4/discussion

https://groups.google.com/d/topic/security-onion/MgarbwDirEQ/discussion

https://groups.google.com/d/topic/security-onion/DA_V6Uq6rNY/discussion

--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com

Ric Woodard

Nov 14, 2014, 10:49:09 AM
to securit...@googlegroups.com
Hey Jimmy,

I've had success forwarding syslog to both Tenable SecurityCenter and LogRhythm SIEM. On the master server, I edited /etc/syslog-ng/syslog-ng.conf and added the following:

--

# This line specifies where the sguild.log file is located and tells syslog-ng to tail the file; program_override inserts the string sguil_alert as the program name on every message
source s_sguil { file("/var/log/nsm/securityonion/sguild.log" program_override("sguil_alert")); };

# This line filters on the string "Alert Received"
filter f_sguil { match("Alert Received"); };

# These lines tell syslog-ng where to send the data (one destination per SIEM)
destination d_lce { udp("x.x.x.x" port(514)); };
destination d_syslog { udp("x.x.x.x" port(514)); };

# A log path is what actually wires the source, filter and destinations together; without one, nothing is forwarded
log { source(s_sguil); filter(f_sguil); destination(d_lce); destination(d_syslog); };

----

Where d_lce indicates the appropriate SecurityCenter server and d_syslog being the LogRhythm server.

It also works with the way you've done it by editing /etc/nsm/SENSOR/barnyard2.conf; restart the syslog service and look at all traffic between the IDS and SIEM to see if it is forwarding any logs. If you find that it is forwarding logs then you may need to look at the SIEM. I'm not familiar with McAfee but it would help to narrow down the issue and find out if it's simply not forwarding the logs or if it is forwarding and the SIEM is not recognizing them.
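The syslog-ng snippet above does three things: tail sguild.log, keep only the "Alert Received" lines, and push each one to the SIEM over UDP port 514 tagged with the program name sguil_alert. The script below, an added example and not Security Onion or syslog-ng code, reproduces that pipeline in Python so the shape of what the SIEM should receive is visible, and adds a loopback check that plays the role of Ric's "look at the traffic between the IDS and SIEM" step without needing a packet capture. SAMPLE_SGUILD_LOG is constructed and only approximates the real sguild.log layout; the facility, severity and hostname defaults are assumptions.

```python
"""A stand-in for the syslog-ng pipeline in the post above: read sguild.log
lines, keep those containing "Alert Received", and send each one to the SIEM
as an RFC 3164 syslog datagram over UDP with the program name "sguil_alert".

Added example, not Security Onion or syslog-ng code. SAMPLE_SGUILD_LOG is
constructed and only approximates the real sguild.log layout; the facility,
severity and hostname defaults are assumptions, not Security Onion settings.
"""
import socket
import time
from typing import Iterable, List, Optional, Tuple

# Constructed sample of sguild.log content. Only the "Alert Received" lines
# should reach the SIEM; the other lines are noise the filter must drop.
SAMPLE_SGUILD_LOG = [
    "2014-11-17 14:38:50 pid(1234)  Client connected: 10.0.0.5",
    "2014-11-17 14:38:52 pid(1234)  Alert Received: 0 1 trojan-activity "
    "SO-server-eth1 {2014-11-17 14:38:51} 3 12345 {ET TROJAN Example} "
    "10.0.0.7 192.0.2.9 6 52000 80",
    "2014-11-17 14:38:53 pid(1234)  Sending client data",
    "2014-11-17 14:38:55 pid(1234)  Alert Received: 0 1 attempted-recon "
    "SO-server-eth2 {2014-11-17 14:38:54} 3 12346 {ET SCAN Example} "
    "198.51.100.4 10.0.0.7 6 44123 22",
]

FACILITY_LOCAL0 = 16  # assumed facility; syslog-ng's file() source default differs
SEVERITY_ALERT = 1    # matches the log_alert priority used in the barnyard2 config


def select_alert_lines(lines: Iterable[str], needle: str = "Alert Received") -> List[str]:
    """Same job as: filter f_sguil { match("Alert Received"); };"""
    return [line for line in lines if needle in line]


def format_syslog(msg: str, hostname: str, program: str = "sguil_alert",
                  facility: int = FACILITY_LOCAL0, severity: int = SEVERITY_ALERT,
                  when: Optional[time.struct_time] = None) -> str:
    """Build an RFC 3164 line: <PRI>Mmm dd HH:MM:SS host program: msg.

    `program` plays the role of program_override("sguil_alert") in syslog-ng;
    it is the tag a SIEM parser keys on, so it must match what the SIEM expects."""
    when = when or time.localtime()
    pri = facility * 8 + severity
    stamp = "%s %2d %s" % (time.strftime("%b", when), when.tm_mday,
                           time.strftime("%H:%M:%S", when))
    return "<%d>%s %s %s: %s" % (pri, stamp, hostname, program, msg)


def forward(lines: Iterable[str], server: str, port: int = 514,
            hostname: str = "so-master") -> List[str]:
    """Send every selected line as one UDP datagram; returns what was sent."""
    sent = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for line in select_alert_lines(lines):
            msg = format_syslog(line, hostname)
            sock.sendto(msg.encode("utf-8"), (server, port))
            sent.append(msg)
    return sent


def loopback_check(lines: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Bind a throwaway UDP listener on 127.0.0.1, forward to it, and return
    (sent, received): a self-contained stand-in for watching the wire between
    the sensor and the SIEM to confirm that datagrams really leave the box."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(2.0)
        port = rx.getsockname()[1]
        sent = forward(lines, "127.0.0.1", port)
        received = []
        for _ in sent:
            data, _addr = rx.recvfrom(65535)
            received.append(data.decode("utf-8"))
    return sent, received


if __name__ == "__main__":
    sent, received = loopback_check(SAMPLE_SGUILD_LOG)
    print("sent %d datagram(s), received %d" % (len(sent), len(received)))
    for msg in received:
        print(msg)
```

Running it prints the two alert lines exactly as a syslog receiver would see them, which is the easiest way to compare against what the SIEM's parser is configured to accept. If the loopback round trip works but nothing shows up at the real SIEM, the problem is between the sensor and the receiver (the daemon not running, the wrong destination address, or a firewall) rather than in the message format.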

Ric Woodard

Nov 14, 2014, 10:50:33 AM
to securit...@googlegroups.com
See the link Doug provided for the rest of necessary changes if you choose to try the other method.

Jimmy Payne

Nov 14, 2014, 11:25:46 AM
to securit...@googlegroups.com
Thank you Ric. I am giving that a shot now. I am not much of a linux guy yet so some of it is confusing to me but maybe I am getting it. :)

Ric Woodard

Nov 14, 2014, 6:30:59 PM
to securit...@googlegroups.com
I know the feeling. I wasn't much of a Linux guy myself until I was tasked to build our IDS. It will come natural soon enough!

Jimmy Payne

Nov 17, 2014, 12:28:39 PM
to securit...@googlegroups.com

I must be totally misunderstanding something. I have added all the lines from all of the sources where I have gained information and I still do not see logs coming into my SIEM. I am going to go back and read every file again.

Ric Woodard

Nov 17, 2014, 1:24:52 PM
to securit...@googlegroups.com
Have you tried looking at the traffic going to your SIEM to see if any logs are being sent? Are the alerts showing up in Sguil?

Jimmy Payne

Nov 17, 2014, 2:38:52 PM
to securit...@googlegroups.com
Yes, it looks like there are VERY few packets going from my SO box to my SIEM receiver. Before I get too excited, I didn't really know any other way to check Sguil other than the GUI. So I logged in to my box, opened Sguil and was presented with a box that looks like this. I thought I already set this up once. Surely it doesn't have to be set up every time, right? I don't even know if this is the issue. Forgive my ignorance. [inline image]

Doug Burks

Nov 17, 2014, 2:48:57 PM
to securit...@googlegroups.com
Just click "Select All" and then click "Start Sguil".

Jimmy Payne

Nov 17, 2014, 2:56:08 PM
to securit...@googlegroups.com
Yes, I did that and while there are events in Sguil, it doesn't seem to be an appropriate number of events. I may just have to drop back and punt and upgrade my Dragon stuff. I was trying to get away from having to do that again. I just don't know if I have the time to try to figure all of this one out. I would much rather learn this but dang, it sure seems to be a beast.

Doug Burks

Nov 17, 2014, 2:59:59 PM
to securit...@googlegroups.com
Please run the following command:

sudo sostat-redacted

There will be a lot of output, so you may need to increase your terminal's scroll buffer OR redirect the output of the command to a file:

sudo sostat-redacted > sostat-redacted.txt 2>&1

sostat-redacted will automatically redact any IPv4/IPv6/MAC addresses, but there may be additional sensitive info that you still need to redact manually.

Attach the output to your email in plain text format (.txt) OR use a service like http://pastebin.com.

Jimmy Payne

Nov 17, 2014, 3:21:38 PM
to securit...@googlegroups.com
As requested.
redactedsoserver.txt

Doug Burks

Nov 17, 2014, 3:30:42 PM
to securit...@googlegroups.com
From your sostat output:

Please install updates:
124 packages can be updated.
77 updates are security updates.
https://code.google.com/p/security-onion/wiki/Upgrade

If you don't need http_agent (you probably don't), disable it:
* http_agent (sguil)[ OK ]
https://code.google.com/p/security-onion/wiki/DisablingProcesses

barnyard2 is failed:
* barnyard2-2 (spooler, unified2 format)[ FAIL ]
* stale PID file found, process will be restarted at the next
5-minute interval!
Check the log file in /var/log/nsm/HOSTNAME-INTERFACE/ for additional clues.

Snort is dropping lots of packets:
=========================================================================
IDS Engine (snort) packet drops
=========================================================================
/nsm/sensor_data/SO-server-eth1/snort-1.stats last reported
pkt_drop_percent as 50.926
/nsm/sensor_data/SO-server-eth1/snort-2.stats last reported
pkt_drop_percent as 75.072
/nsm/sensor_data/SO-server-eth2/snort-1.stats last reported
pkt_drop_percent as 68.424
/nsm/sensor_data/SO-server-eth2/snort-2.stats last reported
pkt_drop_percent as 74.421
You'll need to disable some NIDS rules:
https://code.google.com/p/security-onion/wiki/ManagingAlerts

You have a high number of uncategorized events:
=========================================================================
Sguil Uncategorized Events
=========================================================================
COUNT(*)
279544
https://code.google.com/p/security-onion/wiki/FAQ#What_does_it_mean_if_I_have_a_high_number_of_Sguil_Uncategorized

syslog-ng appears to be down:
Syslog-ng
Checking for process:
Checking for connection:
nc: connect to localhost port 514 (tcp) failed: Connection refused
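Doug's read of the sostat output explains both forwarding attempts in this thread at once: Jimmy's barnyard2.conf edits cannot produce syslog while barnyard2 is in FAIL, and Ric's syslog-ng method cannot work while syslog-ng refuses connections on port 514, with the snort drop rates and uncategorized-event backlog on top. The script below is an added example, not Security Onion's sostat, that extracts exactly those conditions from a sostat-redacted dump so the same check can be repeated after each fix. SOSTAT_EXCERPT is assembled from the lines quoted in Doug's reply (counts and drop figures copied from it) and is not a complete sostat run; the drop and uncategorized thresholds are assumptions.

```python
"""Pull the problems Doug lists above out of a sostat-redacted dump: pending
security updates, processes marked FAIL, snort packet-drop percentages, the
uncategorized-event count, and a syslog-ng listener that refuses connections.

Added example, not Security Onion's sostat. SOSTAT_EXCERPT is assembled from
the lines quoted in the thread and is not a complete sostat run; the
thresholds in triage() are assumptions.
"""
import re
from typing import Dict, List

SOSTAT_EXCERPT = """\
124 packages can be updated.
77 updates are security updates.
* http_agent (sguil)[ OK ]
* barnyard2-2 (spooler, unified2 format)[ FAIL ]
* stale PID file found, process will be restarted at the next
5-minute interval!
/nsm/sensor_data/SO-server-eth1/snort-1.stats last reported
pkt_drop_percent as 50.926
/nsm/sensor_data/SO-server-eth1/snort-2.stats last reported
pkt_drop_percent as 75.072
/nsm/sensor_data/SO-server-eth2/snort-1.stats last reported
pkt_drop_percent as 68.424
/nsm/sensor_data/SO-server-eth2/snort-2.stats last reported
pkt_drop_percent as 74.421
COUNT(*)
279544
nc: connect to localhost port 514 (tcp) failed: Connection refused
"""

# Each pattern targets one line shape seen in the quoted sostat output.
FAIL_RE = re.compile(r"^\*\s+(\S+)\s.*\[\s*FAIL\s*\]")
STATS_RE = re.compile(r"^(/nsm/sensor_data/\S+\.stats) last reported")
DROP_RE = re.compile(r"^pkt_drop_percent as ([0-9.]+)")
SECUPD_RE = re.compile(r"^(\d+) updates are security updates")
REFUSED_RE = re.compile(r"port (\d+) \(tcp\) failed: Connection refused")


def parse_sostat(text: str) -> Dict:
    """Walk the dump line by line and collect the conditions of interest.

    The drop percentage sits on the line after its .stats path and the
    uncategorized count on the line after "COUNT(*)", so both need a little
    state carried across lines."""
    findings = {
        "security_updates": 0,
        "failed": [],          # process names marked [ FAIL ]
        "drops": {},           # stats path -> pkt_drop_percent
        "uncategorized": 0,
        "refused_ports": [],   # tcp ports the nc check could not reach
    }
    pending_stats = None
    expect_count = False
    for raw in text.splitlines():
        line = raw.strip()
        if expect_count:
            expect_count = False
            if line.isdigit():
                findings["uncategorized"] = int(line)
                continue
        if line == "COUNT(*)":
            expect_count = True
            continue
        m = SECUPD_RE.match(line)
        if m:
            findings["security_updates"] = int(m.group(1))
            continue
        m = FAIL_RE.match(line)
        if m:
            findings["failed"].append(m.group(1))
            continue
        m = STATS_RE.match(line)
        if m:
            pending_stats = m.group(1)
            continue
        m = DROP_RE.match(line)
        if m and pending_stats:
            findings["drops"][pending_stats] = float(m.group(1))
            pending_stats = None
            continue
        m = REFUSED_RE.search(line)
        if m:
            findings["refused_ports"].append(int(m.group(1)))
    return findings


def triage(findings: Dict, drop_threshold: float = 10.0,
           uncategorized_threshold: int = 10000) -> List[str]:
    """Turn findings into an ordered action list: the things that stop
    forwarding outright come first, capacity and hygiene items after."""
    actions = []
    for name in findings["failed"]:
        actions.append("restart/inspect failed process %s (check /var/log/nsm/)" % name)
    for port in findings["refused_ports"]:
        actions.append("syslog-ng refuses connections on tcp/%d (daemon appears down)" % port)
    for path, pct in sorted(findings["drops"].items()):
        if pct > drop_threshold:
            actions.append("%s dropping %.1f%% of packets; trim the NIDS ruleset" % (path, pct))
    if findings["uncategorized"] > uncategorized_threshold:
        actions.append("%d uncategorized Sguil events; see the FAQ entry" % findings["uncategorized"])
    if findings["security_updates"]:
        actions.append("%d security updates pending" % findings["security_updates"])
    return actions


if __name__ == "__main__":
    for action in triage(parse_sostat(SOSTAT_EXCERPT)):
        print("-", action)
```

Feed it a real dump with something like `python3 sostat_triage.py < sostat-redacted.txt` after swapping SOSTAT_EXCERPT for `sys.stdin.read()`; the point of the ordering is that a failed barnyard2 or a dead syslog-ng makes every SIEM-side investigation pointless until it is fixed, so those come out first.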